Drive-by malware blocked by new BLADE software

A new system named BLADE promises to provide effective protection against …

A new tool developed by researchers at Georgia Tech and SRI International could provide an effective countermeasure against drive-by download attacks. The researchers claim that the software, BLADE ("Block All Drive-by Download Exploits"), provides cross-browser protection against a wide range of real threats.

Drive-by attacks, in which an attacker exploits flaws in a browser or its plugins to silently download and install malicious software, are increasingly common, with many millions of hostile pages found on the Internet. With drive-by attacks sometimes being distributed by advertising networks, even careful Web users can find their browsers at risk of infection by this kind of malware.

The BLADE system works by blocking access to any executable file that a Web browser writes to disk, unless that download was preceded by the user's explicit authorization. Most browsers give users the opportunity to confirm or deny downloads; drive-bys, however, use security flaws to bypass this user intervention. BLADE tracks user actions—clicking a button to permit a download—and uses this information to selectively prevent access to downloaded files. The software also records both the URL and the downloaded file, allowing further analysis by security professionals.

BLADE cannot prevent all attacks (for example, those that do not depend on creating persistent files on victims' computers would not be trapped), but the researchers' testing suggests that it's effective against a broad range of real-world exploits.
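As an added illustration of the consent-correlation policy described above, and of the file-based blind spot noted in the previous paragraph, here is a small Python simulation. It is not the researchers' code; the event fields, the 30-second consent window and the sample events are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed simulation of the consent-correlation idea behind BLADE.
# Not BLADE's code; the event shape, the 30-second window and the
# sample stream below are assumptions for illustration only.

@dataclass
class Event:
    ts: float          # seconds since the monitor started
    browser_pid: int   # browser process that produced the event
    kind: str          # "consent" (user clicked Save/OK) or "write" (file created)
    path: str = ""     # for "write": where the browser wrote the file
    url: str = ""      # for "write": the URL the bytes came from

@dataclass
class ConsentMonitor:
    window: float = 30.0                                          # assumed consent validity
    pending: dict[int, float] = field(default_factory=dict)       # pid -> consent timestamp
    blocked: list[tuple[str, str]] = field(default_factory=list)  # (url, path) evidence

    def handle(self, ev: Event) -> str:
        if ev.kind == "consent":
            self.pending[ev.browser_pid] = ev.ts
            return "noted"
        # A browser-written file is released only if the same browser process
        # obtained a user click shortly before; each consent is single-use.
        granted = self.pending.pop(ev.browser_pid, None)
        if granted is not None and 0 <= ev.ts - granted <= self.window:
            return "release"
        # No matching consent: keep the file non-executable and record the
        # URL and path for later analysis. Note the blind spot: a payload that
        # runs purely in memory never produces a "write" event and is not seen.
        self.blocked.append((ev.url, ev.path))
        return "quarantine"

def run_scenario() -> tuple[list[str], list[tuple[str, str]]]:
    """Replay a constructed event stream; return decisions and collected evidence."""
    events = [
        Event(10.0, 4242, "consent"),
        Event(12.5, 4242, "write", r"C:\Users\alice\Downloads\setup.exe", "https://vendor.example/setup.exe"),
        # Drive-by: the exploited browser drops a file with no preceding click
        Event(95.0, 4242, "write", r"C:\Users\alice\AppData\Local\Temp\svc.exe", "https://ads.example/x.php"),
        # A stale click cannot be reused for a much later, unrelated file
        Event(200.0, 4242, "consent"),
        Event(400.0, 4242, "write", r"C:\Users\alice\Downloads\late.exe", "https://cdn.example/late"),
    ]
    mon = ConsentMonitor()
    return [mon.handle(e) for e in events], mon.blocked
```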

The testing suggested much greater efficacy than conventional anti-virus software. This is likely to be due at least in part to the generalized nature of the protection; rather than detecting malware with particular signatures, BLADE blocks any suspicious download activity.

The BLADE software should be available to download for Windows shortly. Though it appears effective, it's less obvious that the technique will ever be capable of providing widespread protection: if BLADE-like software became the norm, attackers would just use alternative routes to propagate their malware.